Why do I get a "WAFInvalidParameterException" error in AWS WAF?

I want to know why I get the "WAFInvalidParameterException" error.

Short description

If the operation that you're performing has parameters that AWS WAF doesn't recognize, then the operation fails. One of the errors that AWS WAF returns is WAFInvalidParameterException. The following are common causes of this error:

  • A parameter name or value that you specified isn't valid.
  • A nested statement isn't valid.
  • A web access control list (web ACL) was updated with a DefaultAction that isn't one of the available types.
  • The ARN that's referenced in the request is from a resource that can't be associated with the web ACL.

Resolution

The parameter name or value isn't recognized

If AWS WAF doesn't recognize a parameter value, then you see a message similar to the following example:

"An error occurred (WAFInvalidParameterException) when calling the CreateRuleGroup operation: Error reason:
The scope is not valid., field: SCOPE_VALUE, parameter: <parameter value>"

For example, a Scope parameter value that's not REGIONAL or CLOUDFRONT returns the preceding error.

To troubleshoot the error, complete the following steps:

  1. Identify the parameter value that AWS WAF doesn't recognize.
  2. Modify the parameter to a value that AWS WAF supports. For more information, see AWS WAFV2.

The resource type isn't recognized

AWS WAF can associate with an Amazon CloudFront distribution, Amazon API Gateway REST API, Application Load Balancer, or AWS AppSync GraphQL API. If you associate with a different resource type, then you see a message similar to the following example:

"An error occurred (WAFInvalidParameterException) when calling the AssociateWebACL operation: Error reason:
The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter: <resource arn>"

To troubleshoot the error, complete the following steps:

  1. Identify the parameter value that AWS WAF doesn't recognize.
  2. Modify the parameter to a resource that AWS WAF supports.

Note: The ARN for the resource that you associate with the web ACL must be in one of the following formats:

  • Application Load Balancer: arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id
  • Amazon API Gateway REST API: arn:aws:apigateway:region::/restapis/api-id/stages/stage-name
  • AWS AppSync GraphQL API: arn:aws:appsync:region:account-id:apis/GraphQLApiId
  • Amazon Cognito user pool: arn:aws:cognito-idp:region:account-id:userpool/user-pool-id
  • AWS App Runner service: arn:aws:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id

The DefaultAction value isn't recognized

You can set the AWS WAF DefaultAction field to Allow or Block. If you set the field to anything else, then you receive an error similar to the following example:

"You tried to update a Web ACL with a DefaultAction that isn't among the types available at DefaultAction."

For more information on acceptable values, see Request syntax.
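
A pre-flight check for the three causes covered in this section, as an added example that is not part of the original article or AWS's own code: it validates Scope, DefaultAction and the resource ARN locally before a WAFV2 call is made. The function names, the partition pattern and the sample ARNs are assumptions; the patterns cover only the ARN formats in the note above, so CloudFront distribution ARNs are not matched.

```python
import re

# Accepted values and ARN formats are the ones this article lists.
# All names below (preflight, classify_arn, ...) are hypothetical helpers.
VALID_SCOPES = {"REGIONAL", "CLOUDFRONT"}
VALID_DEFAULT_ACTIONS = {"Allow", "Block"}

P = r"aws(?:-[a-z]+)*"   # partition; anything other than "aws" is an assumption
S = r"[^:/\s]+"          # one ARN field or path segment
A = r"\d{12}"            # account ID

ARN_FORMATS = {
    "Application Load Balancer":
        rf"arn:{P}:elasticloadbalancing:{S}:{A}:loadbalancer/app/{S}/{S}",
    "Amazon API Gateway REST API":
        rf"arn:{P}:apigateway:{S}::/restapis/{S}/stages/{S}",
    "AWS AppSync GraphQL API": rf"arn:{P}:appsync:{S}:{A}:apis/{S}",
    "Amazon Cognito user pool": rf"arn:{P}:cognito-idp:{S}:{A}:userpool/{S}",
    "AWS App Runner service": rf"arn:{P}:apprunner:{S}:{A}:service/{S}/{S}",
}


def classify_arn(arn):
    """Return the resource type whose ARN format matches, or None."""
    for kind, pattern in ARN_FORMATS.items():
        if re.fullmatch(pattern, arn):
            return kind
    return None


def preflight(scope, default_action, resource_arn=None):
    """Return (field, problem) pairs; an empty list means all checks passed."""
    problems = []
    if scope not in VALID_SCOPES:
        problems.append(("Scope", f"{scope!r} is not REGIONAL or CLOUDFRONT"))
    # WAFV2 expects DefaultAction as a one-key structure, e.g. {"Block": {}}.
    if (not isinstance(default_action, dict) or len(default_action) != 1
            or not set(default_action) <= VALID_DEFAULT_ACTIONS):
        problems.append(("DefaultAction", "must be exactly one of Allow or Block"))
    if resource_arn is not None and classify_arn(resource_arn) is None:
        problems.append(("ResourceArn", "does not match a supported ARN format"))
    return problems


if __name__ == "__main__":
    # Constructed sample input; the account ID and resource names are made up.
    alb = ("arn:aws:elasticloadbalancing:us-east-1:111122223333:"
           "loadbalancer/app/my-alb/50dc6c495c0c9188")
    print(preflight("REGIONAL", {"Block": {}}, alb))
    print(preflight("GLOBAL", {"Count": {}}, "arn:aws:s3:::example-bucket"))
```

Running the check in a deployment pipeline catches a mistyped scope or an unintended default action before the request reaches AWS WAF.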

References

Deciding on the default action for a web ACL

Class WAFInvalidParameterException

Namespace WAFInvalidParameterException

AWS OFFICIAL
Updated 5 months ago